IDS mailing list archives
Re: Snort RPC Vulnerability
From: Bennett Todd <bet () rahul net>
Date: Mon, 3 Mar 2003 14:15:41 -0500
2003-03-03T14:03:25 netsecurity:
If you are using a receive only cable does this still represent a vulnerability?
Yup. The packets make it in to snort, and make snort blow, as it were. If you're running snort with a receive-only interface, an attacker will have some trouble assembling a really interesting exploit, since they won't be able to connect back to themselves the way the expect; if your mgmt interface can't connect out to the internet (or wherever snort is looking) it's harder still, but someone can take over the snort process and make it run arbitrary code. If you're running snort chrooted that'll mitigate the possible damage somewhat, likewise running it as a non-priv user. But if you don't want to upgrade more or less of immediately to 1.9.1 for whatever reason, then you really should #-out preprocessor rpc_decode. -Bennett
Attachment:
_bin
Description:
Current thread:
- Snort RPC Vulnerability Jason V. Miller (Mar 03)
- Re: Snort RPC Vulnerability netsecurity (Mar 03)
- Re: Snort RPC Vulnerability Jason V. Miller (Mar 03)
- RE: Snort RPC Vulnerability Rob Shein (Mar 03)
- Re: Snort RPC Vulnerability Bennett Todd (Mar 03)
- RE: Snort RPC Vulnerability Trey A Mujakporue (Mar 03)
- Re: Snort RPC Vulnerability netsecurity (Mar 03)